Evading Snort

snort

All research was carried out in my own network, please don’t try this on a live network.

New and elaborate tricks are used everyday to try and circumvent IDS detection. Some of the well known techniques are payload obfuscation, traffic insertion, packet fragmentation, among others. As soon as developers catch these attacks and patch them, new ways are concocted to evade them. Which is good news for network security technicians because there will always be that cop and robber element, one trying to outdo the other, to keep you in work. Here’s a look at a few of these techniques.

A lot of programs offer services that perform IDS evasion. Nmap has a whole range of options and evasion is one of these tools. If we search in the man pages of Nmap we can see some of the commands we could try to evade detection from IDS’s. All Intrusion Detection Systems will have different settings, but what we want to do is to test my own.

firewallIDSEvasionNMAP
Nmap Firewall/IDS Evasion Options.

A lot of the options I tried were detected by the IDS but one scan we got through was this one:

$ nmap -T0 -f –randomize-hosts -D RND:5 –data-length 15 –spoof-mac 0 192.168.0.12

By altering the packet for the scan we can successfully evade the IDS. Here we are sending the packets to the IDS extremely slowly (-T0) so that the IDS does not know that it is a scan. As we can see from the Nmap man pages we can use a decoy to hide our identity (-D). We are using (RND:5) 5 random decoys. IDS’s recognise certain types of packets and scans by an established packet length, so by changing the packet length we are able to fool the IDS (–data-length). IDS’s pick up scans that are scanning hosts one after the other sequentially, to avoid this we can send the packets randomly (–randomize-hosts). Finally to prevent the IDS from identifying where the scan is coming from we are spoofing our mac address (–spoof-mac). This evasion technique was not logged by the IDS.

Another scan I got through SNORT was a simple TCP SYN scan:

$ nmap -sS -Pn 192.168.0.12

This creates just a half open TCP connection. It sends a TCP SYN request and receives the ACK response but never finishes the three way handshake, thus letting us through undetected.

nampscanundetected
Simple Half Open TCP Scan Undetected.

We got a full Nmap scan report with open ports without the IDS logging it. 

I did get traffic through also with PackEth. PackEth is not one of the default Kali packages but can easily be installed by typing:

$ sudo apt-get install packeth

packethIPv4data

We can do quite a lot to change the packets with this software. Again by altering the packet we are sending we can evade detection from SNORT, this is a form of packet obfuscation. For PackEth to work all we need is the MAC address of the server we are testing. To get the MAC address we simply send an arp request to see who is on the network or we can use other various methods.

My IDS machine has a mac address of (I’ve hidden this) as we can see from the 192.168.0.12 IP address.

Once sent the IDS picks up nothing.

I hope this post was helpful for security people to know the vulnerabilities of IDS’s and is purely educational. All research was conducted on my own internal network. Do not try this on a live network.. Drop me a comment or share. Qubits.

2 Comments

  1. That scan mentioned is slow on purpose to fool the IDS. Yes, getting that message is normal. It may be that your target lost power or is not turned on. Or it may be that the target is blocking pings. Insert -Pn after the nmap command.

    Like

  2. When using the first nmap command with -T0 -f …, I try it on my system and it runs for about 20ish minutes only for the result to be “Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn.” Is this a normal occurrence, or what does this mean? And is there a way to avoid it?

    Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s